[FS#943] iptables 1.6.1 ignores locks

LEDE Bugs lede-bugs at lists.infradead.org
Tue Aug 1 02:31:58 PDT 2017

A new Flyspray task has been opened. Details are below.

User who did this - Charlemagne Lasse (charlemagnelasse)

Attached to Project - LEDE Project
Summary - iptables 1.6.1 ignores locks
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - I just flashed a device with the current snapshot of LEDE (https://downloads.lede-project.org/snapshots/targets/ar71xx/generic/; r4657-bb4d500). I then wanted to use locking with iptables, but noticed that the lock was just not working:

root@LEDE:/# strace iptables -w -L
open("/run/xtables.lock", O_RDONLY|O_CREAT|O_LARGEFILE, 0600) = -1 ENOENT (No such file or directory)
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
getsockopt(3, SOL_IP, IPT_SO_GET_INFO, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0

The lock was basically ignored and the socket was opened without the lock being acquired. The package is missing the following things:

 * change https://git.netfilter.org/iptables/commit/?id=836846f0d747e1be8e37d2d43b215a68b30ea1a9
 * change https://git.netfilter.org/iptables/commit/?id=b91af533f4da15854893ba5cc082e1df6bcf9a97
 * change https://git.netfilter.org/iptables/commit/?id=80d8bfaac9e2430d710084a10ec78e68bd61e6ec
 * iptables Makefile change to add following configure option: --xt-lock-name=/var/lock/xtables.lock

It is not safe to use multiple (writing) iptables processes without locking. It is therefore a rather big problem that this is broken at the moment.

More information can be found at the following URL:

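The failure mode in the strace above is a fail-open lock: open() on the lock file fails and the table is touched anyway. The following is an added example, not iptables' own code, of the same open()+flock() lock with a failed open() treated as fatal; the lock file paths are placeholders for this demo.

```c
/* Added example, not iptables' own code: the lock iptables -w is meant to
 * take, with a failed open() treated as fatal instead of being ignored.
 * Lock file paths below are placeholders chosen for this demo. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

enum lock_result { LOCK_OK, LOCK_BUSY, LOCK_OPEN_FAILED };

/* One non-blocking attempt to take the exclusive lock. On LOCK_OK the
 * descriptor is stored in *fd_out and the lock is held until it is closed. */
enum lock_result try_xtables_lock(const char *path, int *fd_out)
{
    /* Same open() flags and mode as in the strace output of the report. */
    int fd = open(path, O_RDONLY | O_CREAT, 0600);
    if (fd < 0) {
        /* ENOENT despite O_CREAT means the directory itself is missing
         * (the /run vs. /var/lock mismatch above). The caller must stop
         * here; going on to touch the table is the fail-open bug reported. */
        fprintf(stderr, "can't open lock file %s: %s\n", path, strerror(errno));
        return LOCK_OPEN_FAILED;
    }
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        int saved = errno;
        close(fd);
        if (saved == EWOULDBLOCK)
            return LOCK_BUSY;      /* another iptables holds it: wait or retry */
        return LOCK_OPEN_FAILED;
    }
    *fd_out = fd;
    return LOCK_OK;
}

/* Returns 1 only if the table change may proceed, i.e. the lock is held. */
int change_allowed(enum lock_result r)
{
    return r == LOCK_OK;
}

int main(void)
{
    int fd;
    /* Path from the report: on a box without /run this must refuse, not proceed. */
    enum lock_result r = try_xtables_lock("/run/xtables.lock", &fd);
    printf("/run/xtables.lock: %s\n", change_allowed(r) ? "lock held, proceed" : "refuse");
    if (r == LOCK_OK)
        close(fd);
    return 0;
}
```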